Does a policy that addresses the need for risk management exist?
Is the acceptable risk posture for the organization included in the policy?
Does the policy include details about a risk assessment?
Is there a section in the policy that covers multiple perspectives on risk, including the following:
• Threat
• Asset
• Vulnerability space
• Business impact assessment
Is there a section in the policy that includes reporting results of risk assessments?
Is there a section in the policy that includes a remediation analysis report based on risk assessments (i.e., how to reduce risk or increase security posture)?
Is there a procedure in existence that describes how to implement and enforce risk management policies?
Does the procedure define its breadth of scope? Does the breadth of scope include the following:
• Threat
• Asset
• Vulnerability space
• Business impact assessment
Does the procedure define its depth of scope? Does the depth of scope include the following:
• Interviews (asking)
• Verification (seeing)
• Validation (hands-on)
Does the organization practice the procedures described above?
Is there currently compliance management documentation covering the threats identified in the risk assessment?
Is there currently documentation addressing business continuity?